Hello,

* Julien Cristau [Thu, Feb 28 2013, 05:14:08PM]:
> On Wed, Feb 27, 2013 at 21:05:45 +0100, Eduard Bloch wrote:
>
> > Hello,
> > * Thijs Kinkhorst [Wed, Feb 27 2013, 06:52:05PM]:
> >
> > > Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608).
> > >
> > > The maintainer also added hardening flags. This may be on the border of
> > > acceptable/unacceptable for an unblock. Please let me know either way.
> >
> > Thanks for reporting. If the hardening flags are not acceptable I can
> > just build another revision disabling them. Just tell me soon enough.
>
> I'd prefer to have the security fix on its own.
Ok, here we go. pigz 2.2.4-3 is uploaded, debian-diff and debdiff attached here (note: debdiff gets slightly confused on hardlinks). Regards, Eduard.
[The following lists of changes regard files as different if they have different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/man/man1/pigz.1.gz
-rwxr-xr-x  root/root   /usr/bin/unpigz
hrw-r--r--  root/root   /usr/share/man/man1/unpigz.1.gz link to ./usr/share/man/man1/pigz.1.gz
hrwxr-xr-x  root/root   /usr/bin/pigz link to ./usr/bin/unpigz

Files in first .deb but not in second
-------------------------------------
-rw-r--r--  root/root   /usr/share/man/man1/unpigz.1.gz
-rwxr-xr-x  root/root   /usr/bin/pigz
hrw-r--r--  root/root   /usr/share/man/man1/pigz.1.gz link to ./usr/share/man/man1/unpigz.1.gz
hrwxr-xr-x  root/root   /usr/bin/unpigz link to ./usr/bin/pigz

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.2.4-1-] {+2.2.4-3+}
diff -Nurd pigz_2.2.4-1.debian/debian/changelog pigz_2.2.4-3.debian/debian/changelog --- pigz_2.2.4-1.debian/debian/changelog 2012-05-08 22:59:23.000000000 +0200 +++ pigz_2.2.4-3.debian/debian/changelog 2013-02-28 20:17:36.000000000 +0100 @@ -1,3 +1,17 @@ +pigz (2.2.4-3) unstable; urgency=low + + * removed hardening flags, this build is targeting Wheezy + + -- Eduard Bloch <bl...@debian.org> Thu, 28 Feb 2013 20:16:03 +0100 + +pigz (2.2.4-2) unstable; urgency=high + + * Use 600 permissions for unfinished output files (CVE-2013-0296, + closes: #700608) + * started applying Debian hardening flags + + -- Eduard Bloch <bl...@debian.org> Sat, 23 Feb 2013 13:44:42 +0100 + pigz (2.2.4-1) unstable; urgency=low * New upstream release diff -Nurd pigz_2.2.4-1.debian/debian/patches/series pigz_2.2.4-3.debian/debian/patches/series --- pigz_2.2.4-1.debian/debian/patches/series 2012-05-01 13:02:06.000000000 +0200 +++ pigz_2.2.4-3.debian/debian/patches/series 2013-02-28 20:15:20.000000000 +0100 @@ -0,0 +1 @@ +strict_temp_file_permissions diff -Nurd pigz_2.2.4-1.debian/debian/patches/strict_temp_file_permissions pigz_2.2.4-3.debian/debian/patches/strict_temp_file_permissions --- pigz_2.2.4-1.debian/debian/patches/strict_temp_file_permissions 1970-01-01 01:00:00.000000000 +0100 +++ pigz_2.2.4-3.debian/debian/patches/strict_temp_file_permissions 2013-02-28 20:14:29.000000000 +0100 
@@ -0,0 +1,22 @@ +Index: pigz/pigz.c +=================================================================== +--- pigz-2.2.4/pigz.c (Revision 4038) ++++ pigz-2.2.5/pigz.c (Arbeitskopie) +@@ -3228,7 +3228,7 @@ + memcpy(out, to, len); + strcpy(out + len, decode ? "" : sufx); + outd = open(out, O_CREAT | O_TRUNC | O_WRONLY | +- (force ? 0 : O_EXCL), 0666); ++ (force ? 0 : O_EXCL), 0600); + + /* if exists and not -f, give user a chance to overwrite */ + if (outd < 0 && errno == EEXIST && isatty(0) && verbosity) { +@@ -3244,7 +3244,7 @@ + } while (ch != EOF && ch != '\n' && ch != '\r'); + if (reply == 1) + outd = open(out, O_CREAT | O_TRUNC | O_WRONLY, +- 0666); ++ 0600); + } + + /* if exists and no overwrite, report and go on to next */
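Review bot: the two pigz.c hunks only change the mode argument of open() from 0666 to 0600, while the 2.2.4-2 changelog entry describes the fix as "600 permissions for unfinished output files"; nothing in the hunk shows the mode being widened again once the file is complete, so please confirm that a later step restores the final permissions (otherwise every finished output file now lands as 0600 instead of the umask-filtered 0666 it had before, which is a behaviour change on top of the CVE-2013-0296 fix and should be noted in the changelog if intended). Also, the patch file has no DEP-3 header: add at least Description:, Origin: or Author:, Bug-Debian: #700608 and the CVE id above the "Index: pigz/pigz.c" line, since the subversion working-copy headers "--- pigz-2.2.4/pigz.c (Revision 4038)" / "+++ pigz-2.2.5/pigz.c (Arbeitskopie)" record where the diff came from but not what it fixes.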